Five ways to rob a bank using the internet

This year a bank robber stole £1.3 million without touching a penny. Today's master criminals are swapping shotguns for software – here's how they do it

Earlier this year, a man walked into a branch of Barclays in north London and stole £1.3 million without touching a single bank note. Instead, he posed as an IT technician and installed a device to siphon off the cash electronically.

News of the robbery emerged last month when eight men were arrested, a week after police foiled a similar plot against Santander. It seems that bank robbers are giving up shotguns for software. Here's how they do it.

Bogus tech support

The Barclays and Santander plots involved installing a device called a keyboard video mouse switch. Such switches are commonly used in data centres to control multiple computers from a single terminal, and by connecting one to a 3G router the crooks were able to remotely access Barclays' machines over the cellphone network. They used this to transfer money to their own accounts, but Barclays noticed and reported the theft a day later.

"The hard part is not getting in the bank to do the transfer, but getting the money out of the bank into some form you can spend without getting caught in the process," says Steven Murdoch, a security researcher at the University of Cambridge.

Go phishing

If you can't rob a bank directly, go after its customers. These days most of us know not to open suspicious emails claiming to be from our bank, but people do still fall for such phishing attempts, inadvertently handing over their passwords to crooks by logging in to fake websites. Many banks now issue physical tokens that provide secondary authentication designed to foil these attacks, but not all do.

Convert your way to wealth

One unlikely way to take a bank's cash involves currency conversion. Swap $10 for pounds through your online account and you will receive £6.22 at current rates – your bank rounds to the nearest penny. But if you exchange 1 cent, the rounding means you will get 1 penny, a significant profit. Set software to do this over and over, and soon you will be sitting on a tidy sum.

Banks prevent this by setting a minimum conversion amount or limiting the number of exchanges per day, but some have only realised they were under attack once it was too late. "Two of our banking customers have lost money through currency-rounding attacks," says Mitja Kolsek of Acros Security in Maribor, Slovenia. "One of them lost around €30,000 before it noticed and blocked it."
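
The rounding flaw and the two controls described above, as an added example that is not part of the original article. The rate is the one implied by the article's $10 to £6.22 figure; the function names, the $1 minimum and the five-per-day cap are assumptions chosen for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# Rate implied by the article's figures ($10 -> 6.22 pounds). Function names,
# the minimum amount and the daily cap are assumptions for illustration.
RATE = Decimal("0.622")      # pounds per dollar
PENNY = Decimal("0.01")
MIN_USD = Decimal("1.00")    # assumed minimum conversion amount
MAX_PER_DAY = 5              # assumed per-customer daily exchange limit


def convert_naive(usd):
    """Weak behaviour: round to the nearest penny, no other checks."""
    return (usd * RATE).quantize(PENNY, rounding=ROUND_HALF_UP)


def rounding_gain(usd):
    """Pounds paid out beyond the exact value of a single conversion."""
    return convert_naive(usd) - usd * RATE


class HardenedDesk:
    """Conversion desk applying the two controls the article names."""

    def __init__(self):
        self.count_today = {}  # customer id -> conversions so far today

    def convert(self, customer, usd):
        if usd < MIN_USD:
            raise ValueError("below minimum conversion amount")
        used = self.count_today.get(customer, 0)
        if used >= MAX_PER_DAY:
            raise ValueError("daily exchange limit reached")
        self.count_today[customer] = used + 1
        return convert_naive(usd)


def max_daily_exposure():
    """Upper bound on rounding loss per customer per day under the controls:
    nearest-penny rounding overpays by at most half a penny per conversion."""
    return MAX_PER_DAY * PENNY / 2


if __name__ == "__main__":
    print("1 cent  ->", convert_naive(Decimal("0.01")), "gain", rounding_gain(Decimal("0.01")))
    print("$10     ->", convert_naive(Decimal("10")), "gain", rounding_gain(Decimal("10")))
    print("max exposure per customer per day:", max_daily_exposure())
```

With both controls in place the bank's worst-case rounding loss per customer is bounded and small relative to the amounts converted, whereas the unchecked function overpays by more than half the value of a 1 cent conversion.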

Clone cards

Credit and debit cards are often targeted by criminals, either by stealing individual cards or modifying ATMs to record card details and PINs. The account details are copied on to blank cards and then used to withdraw money or buy goods to sell on.

Many countries use a chip and PIN system to prevent this, so criminals have got into the habit of taking cloned cards to the US, where the system is not yet in widespread use.

Bank robbers can knock out CCTV and disable alarms before they break into the bank. The electronic equivalent is a distributed denial-of-service attack (DDoS), in which large volumes of network traffic hammer a bank's systems, giving criminals the cover they need. "While the bank's IT staff is scrambling to keep its servers online and running, criminals are transferring money from users' accounts," says Kolsek. Last year the FBI warned that criminals could get their hands on millions using software costing just $200.
